Adobe to patch Reader and Acrobat flaws

Security fixes promised for next week

By Jeremy Kirk | 04 May 09

Adobe Systems expects to have patches ready to fix the latest flaws in Acrobat and Reader by next week.

"We are in the process of fixing the issue and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th," wrote David Lenoe, a security program manager, on Adobe's security blog.

The update will fix the problem in versions 7.x, 8.x and 9.x for Reader and Acrobat on Windows, versions 8.x and 9.x of Reader and Acrobat for Macintosh, and Reader versions 8.x and 9.x for Unix. It will repair bug CVE-2009-1492, which concerns Adobe's implementation of JavaScript in Reader and Acrobat.

That flaw could allow a hacker to create a malicious PDF file that could allow execution of other arbitrary code. Attack code was published last week on the SecurityFocus Web site.

Adobe has also identified a second vulnerability in Reader for Unix, CVE-2009-1493. That will also be fixed in the upcoming updates, Lenoe wrote. That flaw doesn't appear to affect Windows or Macintosh, he wrote.

Until the patches come out, people should disable JavaScript in both of the applications. Under the preferences menu of the "edit" function, JavaScript can be de-selected, which would then stop an attack.

Adobe has battled bugs in Reader and Acrobat for some time. The vulnerabilities are valuable to hackers since they can create malicious documents to exploit the flaw and gain control over a computer. Since PDF files are widely used, there's a higher chance that a victim can be tricked into opening one and ceding control of their computer.